u/Apple-pie-46

▲ 21 r/immich

I've used Cloudflare Tunnels for a while and it's been mostly fine, but I'm now considering moving to a VPS running Pangolin (https://pangolin.net/). For my own personal use (and to overcome some of the limitations of the Cloudflare free tier) I've also used Tailscale. I considered Tailscale for my family, but unfortunately it's just too much of a barrier; access to immich for my family needs to be transparent whatever location they are in. I also plan to use Pangolin for other self-hosted services in the future.

Here's my setup; any suggestions or comments for improvement appreciated.

- immich sits behind my local Traefik proxy with certs issued for my domain. I run split DNS at home (AdGuard Home + backup Pi-hole) so I can use the same URL as when remote.
- Cloudflare used for my domain name resolution.
- immich OAuth login using Pocket ID.
- immich password login disabled.
- For immich shared links I'm using immich-public-proxy.

For remote access to immich, I'm currently testing a VPS running Pangolin connected to my home via a Newt tunnel. Newt is running in Docker in a non-privileged container under Proxmox. Newt then connects to my local proxy and in turn to immich on a different computer.

- On the VPS, immich access is geo-blocked to my country only.
- immich app login uses custom proxy headers.
- For immich web access a Pangolin SSO account is required with two-factor authentication.
- CrowdSec deployed (updated daily).
- ufw enabled; open ports 80 (tcp), 443 (tcp), 51820 (udp) and 21820 (udp).
- ufw blocklists applied from IPsum (updated daily).
- Unattended OS security upgrades applied daily.
- VPS provider firewall used additionally on the same ports as listed above.

Other possible considerations?

- Put Newt in its own VLAN with access to my local Traefik proxy only and outbound to the Internet?
- Add CrowdSec to my Traefik proxy, or other Traefik alerting/security plugins I should consider?

u/Apple-pie-46 — 17 days ago
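The post lists the VPS firewall policy as exactly four open ports (80/tcp, 443/tcp, 51820/udp, 21820/udp) on both ufw and the provider firewall. A drift check that compares the live `ufw status` output against that allow-list is the kind of thing worth running from cron on such a box, since an extra ALLOW rule (a forgotten SSH exposure, a debugging port) is easy to miss by eye. The script below is an added example written for this thread, not the poster's configuration or anything from the Pangolin or ufw projects; the `ufw status` text embedded in it is a constructed sample, and the expected list is taken from the post.

```shell
#!/bin/sh
# Audit ufw ALLOW rules against an expected port/protocol allow-list.
# Added example for the thread above; the status text is constructed, not
# captured from the poster's VPS.

# Constructed sample of `ufw status` output, with one rule that should not be there.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
51820/udp                  ALLOW       Anywhere
21820/udp                  ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# Same constructed sample with the stray rule removed.
CLEAN_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
51820/udp                  ALLOW       Anywhere
21820/udp                  ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)'

# Allow-list exactly as stated in the post (HTTP, HTTPS, and the two UDP tunnel ports).
EXPECTED="80/tcp 443/tcp 51820/udp 21820/udp"

# audit_ufw <ufw-status-text> <expected-list>
# Prints every ALLOW rule whose port/protocol (first column) is not in the
# expected list and returns 1; returns 0 when the rule set matches.
# IPv6 rows ("80/tcp (v6)") share the first column with their IPv4 twins, so
# they are checked against the same list.
audit_ufw() {
  status="$1"
  expected="$2"
  bad=$(printf '%s\n' "$status" | awk -v allow=" $expected " '
    /ALLOW/ {
      key = " " $1 " "
      if (index(allow, key) == 0) print
    }')
  if [ -n "$bad" ]; then
    printf 'unexpected ufw allow rule(s):\n%s\n' "$bad"
    return 1
  fi
  return 0
}
```

On the real host, the same function is run as `audit_ufw "$(sudo ufw status)" "$EXPECTED"`; a non-zero exit from a daily cron job is the signal that the firewall has drifted from the documented policy. It checks only what ufw reports, so the provider-side firewall mentioned in the post still needs its own review.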